Commit 096dcce8 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Liu Jian
Browse files

io_uring/af_unix: disable sending io_uring over sockets 

stable inclusion
from stable-v5.10.204
commit 3fe1ea5f921bf5b71cbfdc4469fb96c05936610e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8RWPE
CVE: CVE-2023-6531

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3fe1ea5f921bf5b71cbfdc4469fb96c05936610e



---------------------------

commit 705318a99a138c29a512a72c3e0043b3cd7f55f4 upstream.

File reference cycles have caused lots of problems for io_uring
in the past, and it still doesn't work exactly right and races with
unix_stream_read_generic(). The safest fix would be to completely
disallow sending io_uring files via sockets via SCM_RIGHT, so there
are no possible cycles invloving registered files and thus rendering
SCM accounting on the io_uring side unnecessary.

Cc:  <stable@vger.kernel.org>
Fixes: 0091bfc8 ("io_uring/af_unix: defer registered files gc to io_uring release")
Reported-and-suggested-by: default avatarJann Horn <jannh@google.com>
Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/c716c88321939156909cfa1bd8b0faaf1c804103.1701868795.git.asml.silence@gmail.com


Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarLiu Jian <liujian56@huawei.com>
parent d5c6fe96

io_uring/io_uring.c

+0 −55
Original line number Diff line number Diff line
@@ -8430,49 +8430,6 @@ static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg, 
	return ret;

}



static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,

				int index)

{

#if defined(CONFIG_UNIX)

	struct sock *sock = ctx->ring_sock->sk;

	struct sk_buff_head *head = &sock->sk_receive_queue;

	struct sk_buff *skb;



	/*

	 * See if we can merge this file into an existing skb SCM_RIGHTS

	 * file set. If there's no room, fall back to allocating a new skb

	 * and filling it in.

	 */

	spin_lock_irq(&head->lock);

	skb = skb_peek(head);

	if (skb) {

		struct scm_fp_list *fpl = UNIXCB(skb).fp;



		if (fpl->count < SCM_MAX_FD) {

			__skb_unlink(skb, head);

			spin_unlock_irq(&head->lock);

			fpl->fp[fpl->count] = get_file(file);

			unix_inflight(fpl->user, fpl->fp[fpl->count]);

			fpl->count++;

			spin_lock_irq(&head->lock);

			__skb_queue_head(head, skb);

		} else {

			skb = NULL;

		}

	}

	spin_unlock_irq(&head->lock);



	if (skb) {

		fput(file);

		return 0;

	}



	return __io_sqe_files_scm(ctx, 1, index);

#else

	return 0;

#endif

}



static int io_queue_rsrc_removal(struct io_rsrc_data *data, unsigned idx,

				 struct io_rsrc_node *node, void *rsrc)

{
@@ -8530,12 +8487,6 @@ static int io_install_fixed_file(struct io_kiocb *req, struct file *file, 


	*io_get_tag_slot(ctx->file_data, slot_index) = 0;

	io_fixed_file_set(file_slot, file);

	ret = io_sqe_file_register(ctx, file, slot_index);

	if (ret) {

		file_slot->file_ptr = 0;

		goto err;

	}



	ret = 0;

err:

	if (needs_switch)
@@ -8649,12 +8600,6 @@ static int __io_sqe_files_update(struct io_ring_ctx *ctx, 
			}

			*io_get_tag_slot(data, i) = tag;

			io_fixed_file_set(file_slot, file);

			err = io_sqe_file_register(ctx, file, i);

			if (err) {

				file_slot->file_ptr = 0;

				fput(file);

				break;

			}

		}

	}

net/core/scm.c

+6 −0
Original line number Diff line number Diff line
@@ -26,6 +26,7 @@ 
#include <linux/nsproxy.h>

#include <linux/slab.h>

#include <linux/errqueue.h>

#include <linux/io_uring.h>



#include <linux/uaccess.h>
@@ -103,6 +104,11 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) 


		if (fd < 0 || !(file = fget_raw(fd)))

			return -EBADF;

		/* don't allow io_uring files */

		if (io_uring_get_socket(file)) {

			fput(file);

			return -EINVAL;

		}

		*fpp++ = file;

		fpl->count++;

	}